Tutorial: Configure Domain Routing in Access Server

Abstract

Access Server now supports domain routing rules for exact domains and wildcard domains, so you can control VPN client access to specific domains by name rather than by IP address.

Overview

Domain routing lets you control whether traffic to specific domains is sent through the VPN tunnel instead of routed directly to the internet. This is useful when IP-based routing is unreliable due to dynamic IPs or CDN-backed services.

You can configure domain routing rules at three levels:

  • Globally (applies to all users).

  • Per group.

  • Per individual user.

You can use one, some, or all of these levels at the same time, depending on your access requirements.

Domain routing rules support:

  • Exact domains (for example, example.com): Traffic is routed through the VPN only when the destination matches the exact domain. Subdomains (such as app.example.com) aren't included.

  • Wildcard domains (for example, *.example.com): Traffic is routed through the VPN for the specified domain and all of its subdomains.

  • Wildcard TLDs (for example, *.com): Traffic is routed through the VPN for all the domains that use this top-level domain (TLD).

Prerequisites

  • Access Server 3.1.0 or newer.

  • Admin Web UI access.

  • DNS server proxy enabled globally.

  • One or more users or groups configured in Access Server.

Important

Before you begin, be aware of the following behavior:

  • Traffic for domains not explicitly defined in domain routing rules behaves as follows:

    • When using full tunnel routing, traffic to other domains is still routed through the VPN if their resolved IP addresses are public IPs.

    • When using split tunnel routing, only traffic to domains explicitly defined in access rules is routed through the VPN. All other traffic is routed directly to your local internet.

  • When a domain is specified as the destination for a user or group rule, the Protocol and Port options are disabled.

  • Domain-based access rules require the DNS server proxy, which can only be disabled when split tunnel routing is used. If the DNS server proxy is disabled, the rules remain visible but are marked as inactive with a warning icon.
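The matching and routing behaviour described in the Overview and in the notes above can be expressed as a small model, which makes the edge cases explicit: an exact rule never covers subdomains, a wildcard covers the domain itself plus every subdomain, rules are inert while the DNS server proxy is off, and full tunnel mode still carries unmatched public destinations. This is an added example written for this tutorial, not Access Server code; the rule precedence between global, group and user level (first match wins here) and the sample hostnames and addresses are assumptions.

```python
"""Model of the documented domain routing behaviour (constructed example, not
Access Server code): which rule pattern matches a destination hostname, and
whether the resulting traffic goes through the tunnel or directly out."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRule:
    pattern: str  # "example.com", "*.example.com" or "*.com"
    mode: str     # "nat" or "route", as selected in the Admin Web UI


def _labels(name: str) -> list:
    """Split a hostname into DNS labels, ignoring case and a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")


def rule_matches(pattern: str, host: str) -> bool:
    """Apply the three documented pattern kinds.

    Exact domain   example.com    -> only example.com; app.example.com is excluded.
    Wildcard       *.example.com  -> example.com and every subdomain of it.
    Wildcard TLD   *.com          -> every name whose last label is "com".
    Comparison is label-wise, so *.example.com never matches notexample.com.
    """
    pat, labels = _labels(pattern), _labels(host)
    if pat[0] == "*":
        suffix = pat[1:]
        return len(labels) >= len(suffix) and labels[-len(suffix):] == suffix
    return labels == pat


def routing_decision(host, resolved_ip, rules, *, full_tunnel, dns_proxy_enabled):
    """Return ("vpn", mode) when a domain rule sends the traffic through the
    tunnel, ("vpn", None) when full tunnel routing carries it anyway, or
    ("direct", None) when it leaves via the local internet.

    Assumption beyond the page: rules from global, group and user level are
    passed as one list and the first match wins; the page does not state the
    precedence between levels.
    """
    if dns_proxy_enabled:
        # Without the DNS server proxy the rules stay visible but are inactive.
        for rule in rules:
            if rule_matches(rule.pattern, host):
                return ("vpn", rule.mode)
    if full_tunnel and ipaddress.ip_address(resolved_ip).is_global:
        # Full tunnel: unmatched domains still go through the VPN when their
        # resolved address is public. NAT/route is not decided by a domain rule.
        return ("vpn", None)
    return ("direct", None)


if __name__ == "__main__":
    # Constructed sample rules and lookups; 8.8.8.8 stands in for a public resolution.
    rules = [DomainRule("*.example.com", "nat"), DomainRule("example.org", "route")]
    for host in ("app.example.com", "example.org", "www.example.org"):
        print(host, routing_decision(host, "8.8.8.8", rules,
                                     full_tunnel=False, dns_proxy_enabled=True))
```

The label-wise comparison is the part worth keeping in mind when you write rules: a plain suffix check would let `*.example.com` also match `notexample.com`, which is not what the tutorial describes.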

Configure global domain routing rules

Global domain routing rules apply to all users.

  1. Sign in to the Admin Web UI.

  2. Click Access Controls.

    • The Group and User Access Rules tab displays.

  3. Click the Global Access Rules tab.

  4. Under Domains, select the global routing mode:

    • NAT: Source IP appears as the Access Server public IP.

    • Route: Source IP appears as the VPN client's IP address.

  5. Specify a domain, wildcard domain, or wildcard TLD in the Domains text field.

  6. Click Save and Restart.

Important

For global domain routing rules, NAT or routing is defined globally and can't be configured per rule.

If you need to use both NAT and routing for different domains, configure domain routing rules at the user or group level instead.

Configure user or group domain routing rules

Use this procedure to configure domain routing for a specific user or group.

  1. Sign in to the Admin Web UI.

  2. Click Users or Groups.

  3. Select the user or group you want to configure.

  4. Click the Access Rules tab.

  5. Click New Access Rule.

  6. In the Address field, enter a domain:

    • Use an exact domain (for example, example.com) to match only that domain.

    • Use a wildcard (for example, *.example.com) to match the domain and all subdomains.

    • Use a wildcard TLD (for example, *.com) to match all the domains that use this TLD.

  7. Select how the destination is reachable:

    • NAT: Source IP appears as the Access Server public IP.

    • Route: Source IP appears as the VPN client's IP address.

  8. Observe that Protocol and Port fields are disabled when a domain is entered.

  9. Click Save rule and Restart.

Verify domain routing rules

  1. Click Access Controls.

    • The Group and User Access Rules tab is displayed.

  2. Confirm the domain appears correctly in the Destination column of the Access Rules list for user and group access rules.

  3. Click the Global Access Rules tab.

  4. Confirm the global domain rules display under Global Access Rules > Domains.

  5. If affected users are connected to the VPN when a domain routing rule changes, their VPN connections are re-established so that the updated configuration is applied.

Edit or remove domain routing rules

You can edit or remove domain routing rules from either the global access rules page or from a specific user or group, depending on where the rule exists.

From the Global Access Rules tab

  1. Click Access Controls.

    • The Group and User Access Rules tab displays.

  2. Click the Global Access Rules tab.

  3. Modify the domain in the Domains text field or click the Remove icon (minus sign) to delete the rule.

  4. Click Save and Restart.

From the Access Rules page

  1. Click Access Controls.

    • The Group and User Access Rules tab displays.

  2. Locate the domain-based access rule from the Access Rules list.

  3. Click the Edit icon for the rule to modify the domain or routing behavior, or click the Delete icon to remove the rule.

  4. Save your changes.

Changes may require affected users to reconnect.

From the user or group page

  1. Navigate to the user or group where the rule is defined.

  2. Locate the domain-based access rule on the user's or group's access rules tab.

  3. Click the Edit icon for the rule to modify the domain or routing behavior, or click the Delete icon to remove the rule.

  4. Save your changes.

Changes may require affected users to reconnect.

Troubleshooting

Domain routing rules appear inactive

If domain-based rules are marked with a warning icon:

  • Verify that your DNS server proxy is enabled globally.

  • Domain routing doesn't function while the DNS server proxy is disabled.

Traffic isn't routed through the VPN

  • Confirm the domain is spelled correctly.

  • Check whether a wildcard is required.

  • Ensure the user has reconnected since the rule was added.

Protocol and port options are unavailable

This is expected behavior when defining a domain-based rule. Protocol and port filtering aren't supported for domain routing.

Domain routing allows precise control over which domains are routed through the VPN, without relying on static IP addresses. You can apply rules globally or scope them to specific users or groups, using either exact or wildcard domains.